Teradata Data Processing Addendum

1. Definitions

1.1 “Affiliate(s)” means any entity which directly or indirectly controls, is controlled by, or is under common control with, the subject entity.  

1.2 “California Personal Information” means Personal Data that is subject to the protection of, and as defined under, the CPRA.

1.3 “Consumer”, “Business”, “Sell”, “Service Provider” and “Share” will have the meanings given to them in the CPRA.

1.4 “Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

1.5 “CPRA” means California Civil Code Sec. 1798.100 et seq. (also known as the California Privacy Rights Act of 2020), as may be amended, repealed, consolidated, or replaced from time to time.

1.6 “Data Protection Laws” means all applicable worldwide legislation relating to data protection and privacy which applies to the respective party as they relate to Processing Personal Data under the Agreement, including without limitation European Data Protection Laws, the CPRA and the data protection and privacy laws of Canada, China, Australia and Singapore; in each case as amended, repealed, consolidated, or replaced from time to time.

1.7 “Data Subject” means the identified or identifiable natural person to whom Personal Data relates.  

1.8 “DPA Effective Date” means the earlier of the (i) effective date of the Agreement; or (ii) the date (x) when Customer clicks a “Create Contract” check box or similar button that includes a link to these terms on the marketplace of a Cloud Platform if applicable; or (y) last signature date of this DPA.  

1.9 “Europe” means the European Union, the European Economic Area and/or their member states, Switzerland, and the United Kingdom.   

1.10 “European Data” means Personal Data that is subject to the protection of European Data Protection Laws.  

1.11 “European Data Protection Laws” means data protection laws applicable in Europe, including: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; and (iii) applicable national implementations of (i) and (ii); or (iii) the UK GDPR and the Data Protection Act 2018; and (iv) Swiss Federal Data Protection Act on 19 June 1992 and its Ordinance (“Swiss DPA”); in each case, as may be amended, superseded or replaced.    

1.12 “Instructions” means the written, documented instructions issued by a Controller to a Processor that direct the same to perform a specific or general action with regard to Personal Data (including, but not limited to, depersonalizing, blocking, deletion, making available).  

1.13 “Permitted Affiliates” means any of your Affiliates that (i) are permitted to use the Services pursuant to the Agreement but have not signed their own separate agreement with Teradata and are not a “Customer”, as defined under the Agreement,  and that (ii) qualify as a Controller of Personal Data Processed by Teradata.  

1.14 “Personal Data” means any information relating to an identified or identifiable individual where such information is contained within Customer Data and is protected similarly as personal data, personal information, or personally identifiable information under applicable Data Protection Laws.  

1.15 “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed by us and/or our Sub-Processors in connection with the provision of the Services. “Personal Data Breach” will not include unsuccessful attempts or activities that do not lead to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.  

1.16 “Data Privacy Framework” means the EU-U.S., Swiss-US and UK-US Data Privacy Framework self-certification program operated by the U.S. Department of Commerce and approved by the European Commission, and when approved by the Swiss Federal Council and the UK , respectively; as may be amended, superseded, or replaced.  

1.17 “Data Privacy Framework Principles” means the Data Privacy Framework Principles issued by the U.S. Department of Commerce, including Supplemental Principles and Annex 1 of the Principles; as may be amended, superseded, or replaced.  

1.18 “Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, or erasure of Personal Data, whether or not by automated means. The terms “Process”, “Processes” and “Processed” will be construed accordingly.  

1.19 “Processor” means a natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of the Controller.  

1.20 “Purposes” means (i) Teradata’s provision of the Services as described in the Agreement and this DPA; and (ii) further documented, reasonable Instructions, if any, from Customer agreed upon by the Parties.  

1.21 “Service(s)” means any Teradata services or products to the extent that they conduct Processing on behalf of Customer, including any services under any master services agreement or cloud services under any cloud service agreement.  

1.22 “Standard Contractual Clauses” means the standard contractual clauses  annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021 Module Two: Transfer Controller to Processor (C2P), found at ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en, as may be amended, superseded, or replaced. 

1.23 “Sub-Processor” means any Processor engaged by us or Teradata Affiliates to assist in fulfilling our obligations with respect to the provision of the Services under the Agreement. Sub-Processors may include third parties or Teradata Affiliates but will exclude any Teradata employee or consultant.  

1.24 “UK Clauses” means the UK International Data Transfer Agreement  VERSION A1.0, in force 21 March 2022, as may be amended, superseded or replaced.  

1.25 “Usage Data” means any data that Teradata may collect and use regarding Customer’s use of Teradata’s Services to extent that such Usage Data is used to develop, improve, support, and operate such Services.  

3. ROLES AND SCOPE OF DATA PROCESSING

3.1 The parties acknowledge and agree that Teradata is conducting such Processing on your behalf, and therefore you are the Controller and Teradata is the Processor. To the extent any Usage Data is considered personal data under applicable Data Protection Laws, Teradata is the Data Controller of such data and shall Process such data in accordance with this DPA and applicable Data Protection Laws.  

3.2 Compliance with Laws. The parties shall each comply with their respective obligations under the Data Protection Laws applicable to them or the Services they provide. In your acquisition of the Services, you shall have all necessary rights to process, and will process, Personal Data only in accordance with Data Protection Laws. 

3.3 Compliance with Instructions. The parties agree that the Agreement (including this DPA), together with your use of the Service in accordance with the Agreement, constitute your complete Instructions to us in relation to the Processing of Personal Data, so long as you may provide additional instructions to be agreed upon in writing during the Term that are consistent with the Agreement, the nature and lawful use of the Service. We will only Process Personal Data for the Purposes described in this DPA or as otherwise agreed within the scope of your lawful Instructions, except where and to the extent otherwise required by applicable law. Should we reasonably believe that a specific Processing activity beyond the scope of your Instructions is required to comply with a legal obligation to which we are subject, we will inform you of that legal obligation and seek explicit authorization from you before undertaking such Processing. 

3.4 Conflict of Laws. If we become aware that we cannot Process Personal Data in accordance with your Instructions due to a legal requirement under any applicable law, we will (i) promptly notify you of that legal requirement to the extent permitted by the applicable law; and (ii) where necessary, cease all Processing (other than merely storing and maintaining the security of the affected Personal Data) until such time as you issue new Instructions with which we are able to comply.  

3.5 Details of Processing. Specific details of Data Processing, including subject-matter, duration nature and purpose of the Processing, Data Subjects and categories of data are defined in principle in the Agreement and in detail in Annex 1. Teradata’s Privacy Policy can be viewed on Teradata’s website www.teradata.com. In the event of any inconsistency or conflict between the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail.  

5. CONFIDENTIALITY

We will ensure that any personnel who Process Personal Data on our behalf are subject to appropriate confidentiality obligations (whether a contractual or statutory duty) with respect to that Personal Data.  

7. DELETION OR RETURN OF PERSONAL DATA

We will, without undue delay, delete or return Customer Data, including Personal Data, upon termination of the Agreement in accordance with the procedure and timeframe specified in the Agreement. We may retain Customer Data, including Personal Data, to the extent and for such period as required by applicable laws and always provided that we will protect the confidentiality of all such Customer Data, including Personal Data, and shall implement technical and operational controls generally accepted in the security industry as adequate to ensure that such Personal Data is only Processed as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.  

9. SUB-PROCESSORS

9.1 Where we engage Sub-Processors, we will impose data protection terms on the Sub-Processors that provide at least the same level of protection for Personal Data as those in this DPA (including, where appropriate, the Standard Contractual Clauses), to the extent applicable to the nature of the services provided by such Sub-Processors. We will remain responsible for each Sub-Processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-Processor that cause us to breach any of our obligations under this DPA.

9.2 You provide us with a general authorization to engage Sub-processors, subject to Section 9.3 (Changes to Sub-processors), as well as our current Sub-processors listed at https://www.teradata.com/Privacy/Data-Processing-Addendum/Sub-Processors (Sub-Processor Site).

9.3 Teradata shall make available on its Sub-processor Site a mechanism to subscribe to notifications of new Sub-processors. Teradata shall provide such notification to those emails that have subscribed at least thirty (30) days in advance of allowing the new Sub-processor to Process Customer Personal Data (the “Objection Period”). During the Objection Period, any objections to the new Sub-processor must be provided in writing. In the event of reasonable objections based on data protection reasons, the Parties will discuss those objections in good faith. If it can be reasonably demonstrated to Teradata that the new Sub-processor is unable to Process Customer Personal Data in compliance with the terms of this DPA and Teradata cannot provide an alternative Sub-processor, or the Parties are not otherwise able to achieve resolution as provided in the preceding sentence, you may be entitled to terminate this DPA. Where you fail to object to such addition within such period of time, you will be deemed to have consented to such addition.

11. ADDITIONAL PROVISIONS FOR EUROPEAN DATA

11.1 Scope. This ‘Additional Provisions for European Data’ section shall apply only with respect to European Data.  

11.2 Data Protection Impact Assessments and Consultation with Supervisory Authorities. We will provide reasonable assistance to you with any data protection impact assessments, and prior consultations with supervisory authorities or other competent data privacy authorities to the extent required by European Data Protection Laws. Except where such is prohibited, we may make a reasonable charge for the provision of such assistance.  

11.3 Transfer Mechanisms for Data Transfers.  

11.3.1 Teradata shall not transfer European Data to any country or recipient not recognized as providing an adequate level of protection for Personal Data (within the meaning of applicable European Data Protection Laws) unless it first takes all such measures as are necessary to ensure the transfer is in compliance with applicable European Data Protection Laws. Such measures may include (without limitation) transferring such data to a recipient that is covered by a suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities or courts as providing an adequate level of protection for Personal Data, to a recipient that has achieved binding corporate rules authorization in accordance with European Data Protection Laws, or to a recipient that has executed appropriate standard contractual clauses in each case as adopted or approved in accordance with applicable European Data Protection Laws.  

11.3.2 Standard Contractual Clauses: The Parties, including their respective Affiliates, agree to abide by and process European Data in compliance with the Standard Contractual Clauses. Optional Clause 7 in Section I of the SCCs is incorporated and Permitted Affiliates and/or Teradata Affiliates may accede to this DPA and the SCCs under the same terms and conditions as Customer and/or Teradata, via mutual written agreement of the Parties.  

11.3.3 Swiss Addendum to the Standard Contractual Clauses

1. This Section 11.3.3 amends the Standard Contractual Clauses to the extent necessary so they operate for transfers made by the data exporter to the data importer, to the extent that the Swiss Data Processing Act apply to the data exporter’s processing when making that transfer.   
2. The Standard Contractual Clauses shall be amended with the following modifications: 
3. references to "Regulation (EU) 2016/679" shall be interpreted as references to the Swiss DPA (as applicable); 
4. references to specific Articles of "Regulation (EU) 2016/679" shall be replaced with the equivalent article or section of the Swiss DPA; 
5. references to Regulation (EU) 2018/1725 shall be removed; 
6. references to "EU", "Union" and "Member State" shall be replaced with references to  "Switzerland"; 
7. Clause 13(a) and Part C of Annex I are not used and the "competent supervisory authority" shall be the Swiss Federal Data Protection Information Commissioner; 
8. references to the "competent supervisory authority" and "competent courts" shall be replaced with references to the "Swiss Federal Data Protection Information Commissioner" and "applicable courts of Switzerland" ; 
9. in Clause 17, the Standard Contractual Clauses shall be governed by the laws of Switzerland (as applicable); and 
10. to the extent the Swiss DPA applies to the Processing, Clause 18 shall be replaced to state: “Any dispute arising from these Clauses shall be resolved by the competent courts of Switzerland. The Parties agree to submit themselves to the jurisdiction of such courts”.  

11.3.4 Data Privacy Framework: Teradata has self-certified to the Data Privacy Framework and will process European Data in compliance with the Data Privacy Framework Principles and let you know if it is unable to comply with this requirement. Any new Data Privacy Framework or equivalent agreement that may be reached between the EU and the USA and/or Switzerland and the USA, and/or if applicable the UK and the USA, shall be deemed applicable to this DPA and the Agreement with immediate effect, unless Teradata notifies you to the contrary, and will govern applicable transfers instead of the Standard Contractual Clauses (or if applicable, any UK equivalent).  

11.3.5 The parties agree that for the purposes of the Standard Contractual Clauses, (i) Teradata Operations, Inc., or the applicable Teradata Affiliate as the case may be, will be the “data importer” and Customer will be the “data exporter” (on behalf of itself and Permitted Affiliates); (ii) the Annexes of the Standard Contractual Clauses shall be deemed populated with the relevant information set out in Annex 1 and the Security Measures, and where applicable other provisions, of this DPA; (iii) where the Teradata contracting entity under the Agreement is not Teradata Operations, Inc., such contracting entity (and not Teradata Operations, Inc.) will remain fully and solely responsible and liable to you for the performance of the Standard Contractual Clauses by Teradata Operations, Inc., and you will direct any instructions, claims or enquiries in relation to the Standard Contractual Clauses to such contracting entity; and (iv) if and to the extent the Standard Contractual Clauses conflict with any provision of this DPA, the Standard Contractual Clauses will prevail to the extent of such conflict.  

11.3.6 Transfers Out of the United Kingdom (“UK”).  The UK Clauses, or updated applicable standard data protection clauses issued, adopted or permitted under the UK GDPR from time to time, shall be incorporated by reference, and the annexes, appendices or tables of such clauses shall be deemed populated with the relevant information set out in Annex 1 and the Security Measures, and where applicable other provisions, of this DPA.   

11.3.7 If for any reason Teradata cannot comply with its obligations under the Standard Contractual Clauses or UK Clauses or is in breach of any warranties under the Standard Contractual Clauses or UK Clauses, and you intend to suspend the transfer of European Data to Teradata or terminate the Standard Contractual Clauses or UK Clauses, you agree to provide us with reasonable notice to enable us to cure such non-compliance and reasonably cooperate with us to identify what additional safeguards, if any, may be implemented to remedy such non-compliance. If we have not or cannot cure the non-compliance, you may suspend or terminate the affected part of the Service in accordance with the Agreement without liability to either party (but without prejudice to any fees you have incurred prior to such suspension or termination).  

13. DEMONSTRATING COMPLIANCE BY INSPECTION OR AUDIT 

13.1 Teradata shall (i) make available to Customer for inspection all necessary information, and (ii) shall allow for and contribute to audits by Customer or a third-party auditor mandated by Customer, to demonstrate compliance with its obligations regarding Processing of Personal Data under this Addendum. Unless applicable law provides otherwise, Customer may only conduct an audit if, and to the extent that, documentation provided by Teradata (such as but not limited to an independent SOC audit report or other documentation detailed under the Agreement) does not contain the information necessary to establish such compliance. Where applicable laws do not require Supplier facilitate such inspections/audits, Customer has no right to inspect/audit.  

13.2 Ninety days’ advance notice of any inspection or audit will be provided in writing and will only be conducted during normal working hours and at agreed times, including in respect of Sub-Processors. Teradata may make reasonable charges for any inspection/audit, including for any follow up requests and information provided. Customer will not exercise this right more than once per calendar year unless there are reasonable grounds to suspect non-compliance with the DPA.  

13.3 Unless otherwise agreed, Customer (or its designated auditor) will not be given (i) direct or control access to any computer system controlled by Teradata or its Sub-Processors, (ii) any information that could plausibly be used to exploit any vulnerabilities in any Teradata computer system or circumvent any Teradata security controls or measures, or (iii) any data received by Teradata from on or behalf of any other customer, supplier or other third party.  

13.4 The parties agree that you will, when reviewing Teradata’s compliance with this DPA pursuant to this ‘Demonstration of Compliance’ section, take all reasonable measures to limit any impact on us and our Affiliates by combining several audit requests carried out on behalf of the Customer entity that is the contracting party to the Agreement and all of its Permitted Affiliates in one single audit.  

15. PARTIES TO THIS DPA

15.1 Permitted Affiliates. By signing the Agreement, you enter into this DPA (including, where applicable, the Standard Contractual Clauses) on behalf of yourself and in the name and on behalf of your Permitted Affiliates. For the purposes of this DPA only, and except where indicated otherwise, the terms “Customer”, “you” and “your” will include you and such Permitted Affiliates and you hereby represent that you are entitled to do so.  

15.2 Remedies. The parties agree that (i) solely the Customer entity that is the contracting party to the Agreement will exercise any right or seek any remedy any Permitted Affiliate may have under this DPA on behalf of its Affiliates, and (ii) the Customer entity that is the contracting party to the Agreement will exercise any such rights under this DPA not separately for each Permitted Affiliate individually but in a combined manner for itself and all of its Permitted Affiliates together. The Customer entity that is the contracting entity is responsible for coordinating all Instructions, authorizations and communications with us under the DPA and will be entitled to make and receive any communications related to this DPA on behalf of its Permitted Affiliates.    

B. DESCRIPTION OF TRANSFER

Categories of Data Subjects whose Personal Data is Transferred 

You may submit Personal Data in the course of using the Service, the extent of which is determined and controlled by you in your sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of Data Subjects, unless otherwise specified in an Order:  

• Your customers
• Your prospects
• Your website visitors
• Your employees and contractors
• Your suppliers

Categories of Personal Data Transferred  

You may submit Personal Data to the Subscription Services, the extent of which is determined and controlled by you in your sole discretion, and which may include but is not limited to the following categories of Personal Data, unless otherwise specified in an Order: 

• email addresses 
• mobile number 
• landline number 
• last name, first name 
• postal address 
• date of birth 
• information showing the opening of received emails; clicks of links within the received emails; IP addresses 
• financial information 
• online behaviour 
• marital status and dependents

Sensitive Data or Special Categories of Data transferred and applied restrictions or safeguards

The parties do not anticipate the transfer of sensitive data.  

Frequency of the transfer

The parties do not anticipate the transfer of data to be continuous. 

Nature of the Processing 

Personal Data will be Processed as needed for the Purposes in accordance with the Agreement (including this DPA).  

Purpose of the transfer and further processing 

We will Process Personal Data as necessary to provide the Services pursuant to the Agreement, as further specified in the Order Form, and as further instructed by you in your use of the Services. Such Services may include: 

• Providing, maintaining and supporting the infrastructure of the Teradata data analytics cloud services environment, including support in operations and administration, system performance support and monitoring, system administration, security measures and user security administration and disaster recovery and business continuity services 
• Providing of customer services including support and maintenance of customers’ cloud and on-premise software systems and providing a customer help desk  
• Providing of professional services for the Teradata data analytics customers including consulting, development, implementation, and like tasks

Period for which Personal Data will be retained 

Subject to the 'Deletion or Return of Personal Data' section of this DPA, we will Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing.